CVE-2023-2360
📋 TL;DR
CVE-2023-2360 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Acronis Cyber Infrastructure that allows attackers to steal sensitive information from authenticated users. It affects ACI deployments before build 5.2.0-135. Attackers can exploit this by tricking users into visiting malicious websites.
💻 Affected Systems
- Acronis Cyber Infrastructure
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive data including authentication tokens, configuration details, and potentially administrative credentials, leading to full system compromise.
Likely Case
Unauthorized access to sensitive information such as session tokens, configuration data, and potentially user data stored in the ACI management interface.
If Mitigated
Limited or no data exposure if proper CORS policies are enforced and the system is not internet-facing.
🎯 Exploit Status
Exploitation requires user interaction (visiting malicious site) but uses standard web attack techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 5.2.0-135 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4215
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Acronis Cyber Infrastructure to build 5.2.0-135 or later via the management interface or CLI.
3. Restart affected services as prompted.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict CORS Origins
Platform: Linux. Manually configure CORS policies to allow only trusted origins.
# Requires modifying ACI web server configuration
# Consult Acronis documentation for specific CORS configuration
Network Segmentation
Platform: all. Isolate the ACI management interface from untrusted networks.
# Configure firewall rules to restrict access
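# Example (trusted_network is a placeholder for your management subnet):
#   iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
#   iptables -A INPUT -p tcp --dport 443 -j DROP   # needed unless the INPUT policy already drops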
🧯 If You Can't Patch
- Implement strict network access controls to limit ACI management interface exposure
- Deploy web application firewall with CORS policy enforcement
🔍 How to Verify
Check if Vulnerable:
Check ACI version via management interface or run: acronis-aci version
Check Version:
acronis-aci version
Verify Fix Applied:
Confirm version is 5.2.0-135 or later and test CORS headers using browser developer tools or curl
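One way to script the CORS header test mentioned above, as an added example that is not Acronis code or part of the original advisory. `TRUSTED_ORIGINS`, `PROBE_ORIGIN`, the hostname and both function names are assumptions to replace with your own values.

```python
import ssl
import urllib.error
import urllib.request

# Assumptions (not from the advisory): replace with your admin panel's real origin.
TRUSTED_ORIGINS = {"https://aci.example.internal"}
PROBE_ORIGIN = "https://cors-probe.invalid"  # constructed, deliberately untrusted


def audit_cors(headers, probe_origin=PROBE_ORIGIN, trusted=TRUSTED_ORIGINS):
    """Return findings for one response's headers (dict, header names in any case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None or acao in trusted:
        return []  # no grant at all, or a grant to an allowlisted origin only
    if acao == "*":  # browsers refuse to combine "*" with credentials
        return ["wildcard: any site can read unauthenticated responses"]
    if acao == probe_origin:
        findings = ["untrusted Origin is reflected in Access-Control-Allow-Origin"]
    elif acao == "null":
        findings = ["'null' origin is allowed"]
    else:
        findings = ["unexpected allowed origin: " + acao]
    if creds:
        findings.append("credentials allowed: authenticated responses readable cross-origin")
    return findings


def fetch_headers(url, origin=PROBE_ORIGIN, verify_tls=True):
    """Send one GET carrying the probe Origin and return the response headers."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # for appliances that still use a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 401/403 responses still carry CORS headers
        return dict(err.headers.items())


if __name__ == "__main__":
    # Constructed sample headers; on a live system pass fetch_headers(<your ACI URL>).
    sample = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
              "Access-Control-Allow-Credentials": "true"}
    for finding in audit_cors(sample):
        print("FINDING:", finding)
```

An empty result from `audit_cors(fetch_headers(url))` after the upgrade means the probe origin was not granted access; run it against the management endpoints you actually expose.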
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-origin requests to ACI endpoints
- Multiple failed authentication attempts from diverse origins
Network Indicators:
- HTTP requests with suspicious Origin headers to ACI management endpoints
- Unexpected CORS preflight requests
SIEM Query:
web.url contains "acronis" AND http.request.header.origin != "expected_domain"